Advertising company given access to 1.6 million NHS patient records

The New Scientist has obtained a document revealing that an advertising company has been given access to some 1.6 million UK National Health Service patient records.

The name of the advertising company? You may have heard of it. It’s Google.

Well, strictly speaking it’s a Google-owned AI firm called DeepMind, and the agreement apparently states that Google cannot use any of the data in other parts of its business.

But as the New Scientist explains, the medical data collected will extend far beyond those with kidney conditions:

The document – a data-sharing agreement between Google-owned artificial intelligence company DeepMind and the Royal Free NHS Trust – gives the clearest picture yet of what the company is doing and what sensitive data it now has access to.

The agreement gives DeepMind access to a wide range of healthcare data on the 1.6 million patients who pass through three London hospitals run by the Royal Free NHS Trust – Barnet, Chase Farm and the Royal Free – each year. This will include information about people who are HIV-positive, for instance, as well as details of drug overdoses and abortions. The agreement also includes access to patient data from the last five years.

One hopes that Google will respect patients’ privacy, and not attempt to misuse the information. You may also want to cross your fingers that the systems are properly secured - as even leading technology companies like Google have been compromised by state-sponsored hackers with the intent of spying.

It seems that the data itself will not be stored in DeepMind’s offices but with a separate UK company contracted by Google. DeepMind is apparently obliged to delete its copy of the data when its agreement with the NHS Trust expires at the end of September 2017.

There’s no doubt in my mind that Google is one of the better data-crunchers out there, and they probably could do some extraordinary work in analysing vast amounts of medical records in an attempt to provide better treatment for those who need it.

But I’m also all too aware that they are primarily an advertising company - eager to gather as much personal information about people’s lives, habits, relationships and health because of the huge opportunities for monetisation.

There is a real need to tread carefully here.

If you don’t like the idea of Google and other non-NHS organisations rifling through your medical records, the answer is to opt out, according to BBC News.

Opting out. That’s always the route offered by cowardly internet companies who want to grab your data, and are worried that Joe Public won’t see the benefit of opting in.

Wouldn’t it be a breath of fresh air to see an internet company ask people to actually opt-in to have their data shared more broadly, just once?

About the author, Graham Cluley

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy.

“It seems that the data itself will not be stored in DeepMind’s offices but with a separate UK company contracted by Google.”

That statement worries me, because, if the UK company’s security is not up to scratch, then it will be hacked - extremely valuable data attracts the most ardent and capable hackers. Google has a lot more ability to secure itself than a small, “unheard of” UK company. That data is going to be leaked!

Whilst the contract insists that personally identifiable information, such as Name, Address, Post Code, NHS number, Date of Birth, Telephone number, e-mail address, must be encrypted whilst in transit to Google, it does not explicitly prohibit that data being held unencrypted at the non-NHS location. Moreover, it is usual for such personal data to be pseudonymised, so as to mask the true identity of the patient. However, in this contract it explicitly states on page 5: “as this data is being held for direct patient care purposes, pseudonymisation is not required”. Therefore there is some risk that personal data could be accessed at the non-NHS location. If the researchers are not intending to contact the patients themselves, why can’t they just use the NHS number plus, say, Gender and Date of Birth and Postal Region, given that sharing of Name, Address, Telephone number & e-mail address could be considered excessive (and thus in breach of Data Protection Principle No.3)?
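The comment above contrasts the contract's approach with the usual practice of pseudonymising records before they leave the data controller. The following is an added illustration of that practice, not code from the article, the commenter, the NHS Trust or DeepMind: it takes a constructed patient record, strips the direct identifiers the commenter lists (name, address, full postcode, telephone, e-mail), and replaces the NHS number with a keyed pseudonym so that the receiving site holds a stable patient token rather than the number itself, while gender, date of birth, postal region and the clinical fields survive for analysis. The record layout, field names and sample values are assumptions for the example; the key stays with the data controller, which is what makes the token a pseudonym rather than a plain hash.

```python
import hashlib
import hmac
import re

# Direct identifiers named in the comment; none of these leave the controller.
# Field names are assumptions for this example.
DIRECT_IDENTIFIERS = ("name", "address", "postcode", "nhs_number",
                      "telephone", "email")


def pseudonym(secret_key: bytes, nhs_number: str) -> str:
    """Keyed pseudonym for an NHS number (HMAC-SHA256, hex encoded).

    A plain hash of a 10-digit number could be brute-forced in seconds;
    an HMAC with a secret key held only by the data controller cannot be
    re-derived or reversed by the receiving site, yet the controller can
    still map a token back to a patient if direct care ever requires it.
    """
    digits = re.sub(r"\D", "", nhs_number)  # drop spaces/hyphens
    return hmac.new(secret_key, digits.encode(), hashlib.sha256).hexdigest()


def outward_code(postcode: str) -> str:
    """Postal region only: the outward part of a UK postcode ('NW3' from 'NW3 2QG')."""
    return postcode.strip().upper().split()[0]


def contains_direct_identifiers(record: dict) -> bool:
    """Check used before release: True if any direct identifier field remains."""
    return any(field in record for field in DIRECT_IDENTIFIERS)


def pseudonymise(record: dict, secret_key: bytes) -> dict:
    """Return the minimised record the commenter describes.

    Keeps: patient token (in place of the NHS number), gender, date of birth,
    postal region, and every non-identifying clinical field. Drops everything
    listed in DIRECT_IDENTIFIERS.
    """
    shared = {
        "patient_token": pseudonym(secret_key, record["nhs_number"]),
        "gender": record["gender"],
        "date_of_birth": record["date_of_birth"],
        "postal_region": outward_code(record["postcode"]),
    }
    for field, value in record.items():
        if field not in DIRECT_IDENTIFIERS and field not in shared:
            shared[field] = value  # clinical fields pass through unchanged
    return shared


# Constructed sample record: not a real patient, values are placeholders.
SAMPLE_RECORD = {
    "name": "A. Example",
    "address": "1 Example Road, London",
    "postcode": "NW3 2QG",
    "nhs_number": "943 476 5919",       # placeholder, not a real patient's number
    "date_of_birth": "1980-03-14",
    "gender": "F",
    "telephone": "020 7946 0000",
    "email": "a.example@example.invalid",
    "diagnosis_code": "N18.3",          # sample clinical field (ICD-10 CKD stage 3)
    "last_creatinine_umol_l": 142,
}

if __name__ == "__main__":
    # The key lives with the data controller; a constructed value for the demo.
    controller_key = b"example-controller-key-do-not-reuse"
    released = pseudonymise(SAMPLE_RECORD, controller_key)
    assert not contains_direct_identifiers(released)
    for field, value in released.items():
        print(f"{field}: {value}")
```

Running the script prints the released record: a 64-character token, gender, date of birth, "NW3", and the two clinical fields, with no name, address, telephone, e-mail or NHS number present. The `contains_direct_identifiers` check is the kind of release gate the commenter is asking for; whether date of birth should also be reduced to a year is a separate minimisation decision the example leaves as the commenter proposed it.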
